Vulnerability in POWER METER SICAM Q200 Family and SICAM P850/P855 Products by Siemens
CVE-2022-43439

9.9CRITICAL

Key Information:

Vendor: Siemens
Status: Power Meter Sicam Q100; Sicam P850; Sicam P855
Vendor: CVE Published:; 8 November 2022

Summary

A vulnerability exists in the POWER METER SICAM Q200 family and the SICAM P850/P855, affecting versions below specified thresholds. The devices fail to properly validate the Language-parameter in requests made to the web interface over port 443. This oversight allows an authenticated remote attacker to disrupt the device's functioning by causing it to crash, which is followed by an automatic reboot. Additionally, it opens the possibility for arbitrary code execution, posing significant security risks to systems utilizing these meters.

Affected Version(s)

POWER METER SICAM Q100 All versions < V2.50

References

https://cert-portal.siemens.com/productcert/pdf/ssa-57200...

https://cert-portal.siemens.com/productcert/pdf/ssa-57029...

https://cert-portal.siemens.com/productcert/pdf/ssa-88724...

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 8, 2022
Vulnerability Reserved
Oct 19, 2022